Microsoft's May 2026 Patch Tuesday: Two Critical RCE Flaws Every Australian Business Must Patch Now
On 13 May 2026, Microsoft released its monthly Patch Tuesday update addressing more than 120 security vulnerabilities across Windows, Office, Azure, and related products. Two vulnerabilities dominate the security community's attention: a critical remote code execution flaw in the Windows DNS client (CVE-2026-41096) and a second critical RCE in the Windows Netlogon service (CVE-2026-41089). Both carry a CVSS score of 9.8 out of a possible 10.0, and neither requires attacker authentication or victim interaction to exploit. For Australian businesses running Windows, this is not an optional patch cycle.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
May 2026 Patch Tuesday: 120+ Vulnerabilities Fixed, Two Demand Immediate Attention
Microsoft's May 2026 Patch Tuesday, released on 13 May, addressed more than 120 security vulnerabilities spanning Windows, Microsoft Office, Azure, Dynamics 365, and the Edge browser. According to Bleeping Computer's coverage, none of the flaws were listed as publicly known or actively exploited at the time of release — a relative rarity given recent Patch Tuesday cycles that included multiple zero-days. That said, the absence of confirmed exploitation is not the same as an absence of risk, and two vulnerabilities in this batch stand in a category of their own.
Among the critical vulnerabilities patched, the security community has converged on two as the most urgent:
- CVE-2026-41096 — Windows DNS Client Remote Code Execution Vulnerability, CVSS 9.8 (Critical). A heap-based buffer overflow triggered by a crafted DNS response. No authentication or user interaction required.
- CVE-2026-41089 — Windows Netlogon Remote Code Execution Vulnerability, CVSS 9.8 (Critical). A stack-based buffer overflow in the Netlogon Remote Protocol (MS-NRPC). Unauthenticated, network-exploitable, and particularly dangerous on domain controllers.
Both vulnerabilities were highlighted by Krebs on Security, Sophos, and Rapid7 as the patches to prioritise above all others in this cycle. The Zero Day Initiative similarly flagged them as standout risks. For any organisation running Windows — which encompasses the overwhelming majority of Australian businesses — these two flaws are the reason this month's Patch Tuesday cannot be deferred.
The broader release also addressed vulnerabilities in Windows Hyper-V, Microsoft SharePoint Server, and Remote Desktop Services, but none carry the combination of CVSS 9.8 severity, zero-authentication exploitation, and near-universal attack surface that make CVE-2026-41096 and CVE-2026-41089 so pressing. The rest of the batch can go out on your usual schedule; these two should not wait for it.
CVE-2026-41096: Why a DNS Flaw Can Hand Over Your Entire Machine
The Windows DNS Client is not an optional service. It runs on every modern Windows machine (desktops, laptops, servers) and is responsible for resolving domain names into IP addresses. When you open a browser, connect to a corporate file share, or leave your computer to check for software updates, the DNS Client is involved. That ubiquity is precisely what makes CVE-2026-41096 so alarming.
The vulnerability is a heap-based buffer overflow in the DNS Client's response-parsing logic. When a Windows machine receives a DNS response — the server-side reply to a name lookup — the DNS Client processes that response to extract the IP address. CVE-2026-41096 exists because the parsing code does not adequately validate the length of certain response data before writing it to a fixed-size heap buffer. A specially crafted DNS response, containing an oversized payload, causes the write to overflow the buffer's boundary and corrupt adjacent heap memory.
From there, a skilled attacker can manipulate what lands in that corrupted memory region to redirect code execution: classic heap exploitation. The DNS Client service (Dnscache) runs inside a shared svchost.exe process under the NetworkService account rather than as the logged-on user, so a successful exploit yields code execution inside a trusted, always-running service process, without the attacker ever providing a username or password and without the victim needing to click on anything.
The attack path requires the attacker to be in a position to deliver a malicious DNS response to the target. That position can be reached in several ways: a compromised upstream resolver, an on-path position on the same network (a public Wi-Fi café, for instance), a rogue DHCP server that hands out attacker-controlled DNS settings, or cache poisoning of an ISP or public resolver. Be precise about what encrypted DNS (DoH or DoT) buys you here: it stops on-path and rogue-DHCP attackers from substituting responses, but the resolver at the far end of the tunnel still supplies the bytes the client parses, so a compromised resolver remains a valid delivery channel. DNSSEC on the zone does not help an unpatched client either, because the Windows DNS Client does not validate signatures itself. This vulnerability affects Windows 11 and Windows Server 2022 and 2025.
For Australian businesses whose staff work from home or connect through shared office Wi-Fi, the scenario of an attacker occupying a position to feed poisoned DNS responses is not theoretical. It is the same threat model behind many corporate network intrusions — and May 2026's Patch Tuesday has now assigned it a name and a CVSS 9.8 score.
CVE-2026-41089: When the Netlogon Service Becomes a Worm Vector
What Netlogon does and why it matters
The Netlogon service implements the Netlogon Remote Protocol (MS-NRPC), a Microsoft protocol (publicly specified under that name) that maintains the secure channel between each domain-joined machine and a domain controller. When a user logs on to a Windows domain, the standard setup for virtually every business running Active Directory, Netlogon establishes that secure channel and carries NTLM pass-through authentication over it, while Kerberos tickets are issued by the KDC on the same domain controller. Domain controllers are the highest-privilege servers in a Windows network. Compromising one is, functionally, compromising everything.
The technical flaw
CVE-2026-41089 is a stack-based buffer overflow rooted in an integer overflow within Netlogon's authentication handshake processing. During the MS-NRPC handshake, the Netlogon service processes a caller-specified length value from the incoming network packet. That value is not adequately validated before it is used to size a stack allocation and copy data into it. A crafted packet with an oversized length value causes the stack buffer to be overwritten, the classic setup for hijacking the function's return address and with it the flow of execution.
What elevates this beyond a typical server vulnerability is the exploitation profile: unauthenticated, no user interaction, and executable over any network path that can reach the Netlogon RPC interface. That interface is exposed over the NETLOGON named pipe on SMB (TCP 445) and directly over TCP RPC, where the client first asks the endpoint mapper on TCP 135 and is then directed to a dynamic port (49152–65535 by default). The vulnerability has been described by security vendors as potentially wormable, meaning a single exploited domain controller could be used to send crafted Netlogon requests to other domain controllers on the same network without further attacker intervention.
The Australian context
A significant proportion of Australian businesses with more than ten employees operate Windows domains managed by on-premises domain controllers, or hybrid configurations where domain controllers are co-located in a data centre or cloud environment. Many of these are small and medium businesses that lack dedicated security operations staff — exactly the organisations that are unlikely to have applied the May 2026 patches within 48 hours of release. Attackers targeting Australian SMBs are well aware of this lag. Ransomware operators in particular seek out domain controllers because administrator access to one unlocks credential harvesting and deployment of ransomware payloads across every machine in the organisation simultaneously.
The Australian Signals Directorate (ASD) identified domain controller compromise as a recurring theme in Australian cyber incident response cases reviewed in its Annual Cyber Threat Report 2024–2025. CVE-2026-41089 is exactly the class of vulnerability that enables that initial foothold.
What Australian Businesses Should Do Right Now
Apply the May 2026 Patch Tuesday updates immediately
The single most important action is to apply the May 2026 cumulative updates to all Windows endpoints, paying particular attention to domain controllers and internet-facing servers. Microsoft has made the patches available via Windows Update, Windows Server Update Services (WSUS), Microsoft Configuration Manager (formerly SCCM), and the Microsoft Update Catalog. If your domain controllers are not set to receive automatic updates, a common configuration chosen to avoid unexpected reboots during business hours, those need to be patched manually and with urgency.
The ASD's Essential Eight framework, which the Australian government recommends as the baseline for all organisations, includes patching operating systems as one of its eight core mitigations. Under Essential Eight Maturity Level Two, operating system patches for vulnerabilities the vendor assesses as critical (or for which a working exploit exists) must be applied within 48 hours of release, on workstations and internal servers as well as internet-facing ones. Both CVE-2026-41096 and CVE-2026-41089 are rated Critical. If your organisation is targeting Essential Eight compliance, or is required to maintain it under a government contract, you are already past the clock on these two flaws.
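The two steps above (patch everything, domain controllers first, inside the 48-hour window) become a work queue with the script below. It is an added example, not code from the article or from Microsoft: it enumerates the domain controllers, checks each host for the cumulative update and the build number, and flags who missed the window. The KB identifier is a placeholder because the article gives none, and the extra host names are constructed.

```powershell
# Added example, not from the original article or from Microsoft. Needs the ActiveDirectory
# module (RSAT) plus WinRM and DCOM access to the targets. Run from an admin workstation.
#
# ASSUMPTION: the article gives no KB or build number, so $RequiredKB is a placeholder.
# Take the real May 2026 cumulative-update KB for each OS version from the Microsoft
# Update Catalog (there is a different KB per Windows version) before running this.
param(
    [string]$RequiredKB    = 'KB0000000',          # placeholder, see above
    [datetime]$ReleaseDate = '2026-05-13',         # Patch Tuesday date from the article
    [string[]]$ExtraHosts  = @('FS01', 'RDS01')    # constructed: member servers to include
)

Import-Module ActiveDirectory

# Domain controllers carry the Netlogon exposure, so they are checked and listed first.
$dcs   = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
$hosts = @($dcs + $ExtraHosts | Select-Object -Unique)

$results = foreach ($h in $hosts) {
    try {
        # Win32_QuickFixEngineering lists updates that register as hotfixes, which
        # cumulative updates do; servicing stack updates may not appear here.
        $fix = @(Get-HotFix -ComputerName $h -ErrorAction Stop |
                 Where-Object HotFixID -eq $RequiredKB) | Select-Object -First 1
        # CurrentBuild.UBR rises with every cumulative update, so it cross-checks the KB.
        $ver = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
                Select-Object ProductName, CurrentBuild, UBR
        }
        $installed = if ($fix) { $fix.InstalledOn } else { $null }
        # Essential Eight ML2: critical OS patches within 48 hours of release.
        $within48h = if ($installed) { ($installed - $ReleaseDate).TotalHours -le 48 } else { $false }

        [pscustomobject]@{
            Computer    = $h
            IsDC        = ($dcs -contains $h)
            OS          = $ver.ProductName
            Build       = "$($ver.CurrentBuild).$($ver.UBR)"
            Patched     = [bool]$fix
            InstalledOn = $installed
            Within48h   = $within48h
            Error       = $null
        }
    } catch {
        # Unreachable hosts are reported, not skipped: an offline DC is still an unpatched DC.
        [pscustomobject]@{
            Computer = $h; IsDC = ($dcs -contains $h); OS = $null; Build = $null
            Patched = $null; InstalledOn = $null; Within48h = $null
            Error = $_.Exception.Message
        }
    }
}

# Unpatched domain controllers at the top, so the table reads as a work queue.
$results |
    Sort-Object @{ Expression = 'IsDC'; Descending = $true }, @{ Expression = 'Patched'; Descending = $false } |
    Format-Table Computer, IsDC, OS, Build, Patched, InstalledOn, Within48h, Error -AutoSize

$results | Export-Csv -NoTypeInformation -Path ".\patch-status-$(Get-Date -Format yyyyMMdd).csv"
```

Keep the CSV: it is the evidence an Essential Eight assessor will ask for, and re-running it daily until every row shows Patched = True is the cheapest way to prove the window was met.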
Isolate domain controllers from unnecessary network exposure
While patching is underway, network segmentation is your next line of defence. Domain controllers should not be directly reachable from general office workstations or, worse, from external networks. If your network architecture allows arbitrary machines to reach Netlogon ports on domain controllers, that exposure should be reviewed regardless of this patch cycle. Firewall rules limiting Netlogon access to only known, managed Windows clients significantly reduce the exploitable surface area for CVE-2026-41089.
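The review described above can be scripted rather than done by hand. The script below is an added example (not from the article): it lists every enabled inbound allow rule on a domain controller that opens a Netlogon transport, shows whether each is scoped or reachable from anywhere, and, with -Apply, restricts the local ones to a set of managed subnets. The subnets are constructed and must be replaced with your own.

```powershell
# Added example, not from the original article. Audits which enabled inbound firewall
# rules on a domain controller expose the Netlogon transports, then scopes those rules
# to managed subnets. Run elevated on the DC (or wrap it in Invoke-Command).
#
# Netlogon is reached over the NETLOGON named pipe (SMB, TCP 445) and over RPC: the
# endpoint mapper on TCP 135 plus a dynamic port (49152-65535 by default). Windows
# Firewall expresses the last two as LocalPort 'RPC-EPMap' and 'RPC'.
#
# ASSUMPTION: $AllowedSubnets is constructed. Yours must include every other DC, member
# servers, management hosts and client VLANs, or replication and logons will break.
# Rules delivered by Group Policy cannot be changed here; change them in the GPO.
param(
    [string[]]$AllowedSubnets = @('10.10.0.0/16', '10.20.5.0/24'),   # constructed
    [switch]$Apply                                                   # without it: report only
)

$netlogonPorts = @('445', '135', 'RPC', 'RPC-EPMap')

# 1. Audit: every enabled inbound allow rule that opens one of those TCP ports, with its scope.
$exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -ne 'TCP') { continue }
    $ports = @($port.LocalPort) | Where-Object { $_ -in $netlogonPorts }
    if (-not $ports) { continue }
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Group         = $rule.DisplayGroup
        Profile       = $rule.Profile
        PolicyStore   = $rule.PolicyStoreSource            # 'PersistentStore' = local rule, else the GPO name
        LocalPort     = ($ports -join ',')
        RemoteAddress = (@($addr.RemoteAddress) -join ',')  # 'Any' = reachable from anywhere
    }
}
$exposed | Format-Table -AutoSize

# 2. Scope: replace 'Any' with the managed subnets on every local rule found above.
foreach ($r in $exposed | Where-Object { $_.RemoteAddress -eq 'Any' -and $_.PolicyStore -eq 'PersistentStore' }) {
    if ($Apply) {
        Set-NetFirewallRule -DisplayName $r.Name -RemoteAddress $AllowedSubnets
        Write-Host "Scoped '$($r.Name)' to $($AllowedSubnets -join ', ')"
    } else {
        Write-Host "Would scope '$($r.Name)' (RemoteAddress currently Any); re-run with -Apply."
    }
}

# 3. Scoping only bites if the default inbound action is Block, so confirm it per profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Run it without -Apply first and read the list: the rules you will see belong to the "Active Directory Domain Services" and "File and Printer Sharing" groups, and scoping them is a change to test on one domain controller out of hours before rolling it to the rest.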
Encrypt your DNS traffic while the patch rolls out
For the DNS client vulnerability (CVE-2026-41096), patching is the definitive fix, but if you have remote workers or users on networks you do not control, encrypting DNS traffic in the interim is a practical mitigation. When queries travel through an encrypted tunnel, an on-path attacker or a rogue DHCP-assigned server cannot substitute the responses that reach the Windows DNS Client. The resolver at the far end of that tunnel still supplies the response, so this moves trust to a resolver you choose rather than one the local network hands you; it does not change what the unpatched client does with the bytes it receives.
A VPN that routes DNS through its own hardened infrastructure is one way to achieve this. NordVPN routes all DNS queries through its own encrypted DNS servers when the VPN is active, so a local rogue or poisoned server cannot deliver responses to Windows endpoints on that connection. Its Threat Protection Pro feature blocks lookups of known malicious domains at the DNS layer, which helps against phishing and malware infrastructure, although it cannot block a crafted response to an ordinary lookup. This does not replace patching, but it meaningfully reduces exposure for remote workers in the period between vulnerability disclosure and patch deployment. NordVPN supports Windows, macOS, iOS, and Android, making it practical across a mixed device fleet.
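Windows 11 and Windows Server 2022 and later can also do this without a VPN, using the DNS over HTTPS support built into the DNS Client. The script below is an added example (not from the article or from any vendor) that registers a DoH resolver, points an interface at it, optionally enforces the policy that refuses plaintext DNS, and verifies the result. The Cloudflare server and template are assumed defaults; substitute your own resolver and interface name.

```powershell
# Added example, not from the original article or from any VPN vendor. Enables DNS over
# HTTPS with the resolver built into Windows 11 and Windows Server 2022 and later, so a
# rogue DHCP-assigned or on-path DNS server cannot hand the DNS Client a response. Run elevated.
#
# Caveats: DoH protects the path to the resolver, not what the resolver returns, and the
# unpatched client still parses whatever arrives. Domain-joined machines on the corporate
# network must keep their internal DNS servers; this is for laptops on networks you do
# not control.
#
# ASSUMPTION: the server and template are the public Cloudflare values; substitute your
# own resolver (or your VPN provider's) and the interface name from Get-NetAdapter.
param(
    [string]$DohServer   = '1.1.1.1',
    [string]$DohTemplate = 'https://cloudflare-dns.com/dns-query',
    [string]$Interface   = 'Wi-Fi',
    [switch]$Require     # also apply the policy that refuses plaintext DNS entirely
)

# 1. Register the DoH template for that server. AllowFallbackToUdp $false means a failed
#    DoH query is a failed query, not a silent downgrade to plaintext port 53.
$dohArgs = @{
    ServerAddress      = $DohServer
    DohTemplate        = $DohTemplate
    AllowFallbackToUdp = $false
    AutoUpgrade        = $true
}
if (Get-DnsClientDohServerAddress -ServerAddress $DohServer -ErrorAction SilentlyContinue) {
    Set-DnsClientDohServerAddress @dohArgs
} else {
    Add-DnsClientDohServerAddress @dohArgs
}

# 2. Point the interface at that server instead of whatever DHCP handed out.
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DohServer

# 3. Optional enforcement: the value written by the Group Policy
#    "Configure DNS over HTTPS (DoH) name resolution" when set to "Require DoH".
if ($Require) {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'DoHPolicy' -Value 2 -Type DWord
}

# 4. Verify: the template is registered, the interface uses the server, and names resolve.
Get-DnsClientDohServerAddress | Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
Get-DnsClientServerAddress -InterfaceAlias $Interface -AddressFamily IPv4
Clear-DnsClientCache
Resolve-DnsName -Name cyber.gov.au -Type A | Select-Object Name, IPAddress
```

To confirm the query really left over port 443 rather than 53, check for an established connection to the resolver with Get-NetTCPConnection -RemoteAddress 1.1.1.1 -RemotePort 443 straight after the lookup, or capture with pktmon.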
Patch Management Realities for Australian SMBs — and a Layered Defence
The patch lag problem
Research consistently shows that Australian small and medium businesses take longer than recommended timeframes to apply operating system patches. The reasons are predictable: patches sometimes break line-of-business applications, IT staff are thin or contracted, and rebooting servers during business hours disrupts operations. These are real constraints, not excuses. The challenge for May 2026 is that CVE-2026-41096 and CVE-2026-41089 represent exactly the class of vulnerability that attackers scan for and exploit within days of disclosure — not weeks. The publication of a CVSS 9.8 rating and a detailed technical description in vendor advisories and security blogs effectively hands researchers and attackers alike a roadmap to exploitation.
The practical implication: the organisations that patch within 48–72 hours of Patch Tuesday dramatically reduce their window of exposure. Those that patch within two weeks face meaningful but manageable risk. Those operating on monthly or quarterly patch cycles are the ones that appear in incident response reports.
What a layered defence looks like for this specific threat
Beyond patching and DNS encryption, a practical layered response for Australian businesses includes:
- Network monitoring for anomalous Netlogon traffic. Unusually high volumes of Netlogon secure-channel setups or NTLM validations from a single source, or requests originating from unexpected IP ranges, can indicate scanning or exploitation attempts. On domain controllers the Netlogon-specific signals are the System log events from the NETLOGON source (5805, 5722 and 5723 for failed session setups; 5827 to 5829 for vulnerable secure-channel connections denied or allowed) and Security event 4776, which records each NTLM credential validation that passes through Netlogon. Kerberos events 4768 and 4769 are useful for broader domain controller anomaly detection but are not Netlogon traffic.
- Backup integrity checks. Because CVE-2026-41089 targets domain controllers — the administrative heart of a Windows domain — ransomware operators find this class of vulnerability attractive as a pivot point. Before an incident occurs, verify that offline or immutable backups of your domain controllers exist and are recoverable. A domain controller backup that was last tested six months ago is a liability, not an asset.
- Review remote access paths. If employees access the corporate network via VPN or remote desktop from machines you do not manage — personal laptops, home PCs — those unmanaged endpoints may be unpatched. Enforcing device health checks at the VPN gateway (ensuring connecting devices have current patches before being granted network access) is an effective control that many Australian SMBs have not yet implemented.
- ACSC guidance as a practical benchmark. The ASD maintains the alerts and advisories section of cyber.gov.au as a live feed of significant threats and recommended mitigations. Subscribing to ACSC alerts ensures you receive timely guidance on vulnerabilities of this severity without depending on commercial news sources to surface them.
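The monitoring item in the list above is the one most SMBs skip because it sounds like it needs a SIEM. It does not: the script below, an added example rather than anything from the article, pulls the Netlogon and NTLM validation events off a domain controller, groups them by source computer, and flags sources that are unusually busy, failing often, or absent from a known-hosts list. The thresholds and the host list are constructed and need tuning to your environment.

```powershell
# Added example, not from the original article. Summarises the Netlogon and NTLM
# validation events a domain controller writes, by source computer, and flags sources
# that are unusually busy, failing a lot, or not on your known-hosts list. Run elevated
# on the DC.
#
# Event selection (real Windows event IDs):
#   System, source NETLOGON: 5805, 5722, 5723  failed session (secure channel) setups
#                            5827, 5828, 5829  vulnerable secure-channel connections denied/allowed
#   Security:                4776              NTLM credential validation, which passes through Netlogon
# Kerberos 4768/4769 are also DC events, but they are not Netlogon traffic.
#
# ASSUMPTION: the thresholds and the known-hosts list are constructed for illustration.
param(
    [int]$Hours           = 24,
    [int]$Threshold       = 500,   # events from one source before it is flagged
    [string[]]$KnownHosts = @('WS-FINANCE01', 'WS-SALES07', 'FS01')   # constructed baseline
)
$since = (Get-Date).AddHours(-$Hours)

$netlogon = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; StartTime = $since
    Id = 5805, 5722, 5723, 5827, 5828, 5829
}
$ntlm = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4776; StartTime = $since
}

# 4776 carries named fields (Workstation, Status); the classic NETLOGON events carry
# unnamed <Data> elements whose first entry is the computer or machine account named
# in the message text.
function Get-EventFacts([System.Diagnostics.Eventing.Reader.EventRecord]$e) {
    $x    = [xml]$e.ToXml()
    $data = @($x.Event.EventData.Data)
    if ($e.Id -eq 4776) {
        $src    = ($data | Where-Object { $_.Name -eq 'Workstation' }).'#text'
        $status = ($data | Where-Object { $_.Name -eq 'Status' }).'#text'
        $failed = $status -ne '0x0'
    } else {
        $first  = $data[0]
        $src    = if ($first -is [string]) { $first } else { $first.'#text' }
        $failed = $e.Id -ne 5829        # 5829 = allowed; everything else here is a denial/failure
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Source = ($src -replace '^\\\\', ''); Failed = $failed }
}

$rows = @($netlogon) + @($ntlm) | Where-Object { $_ } | ForEach-Object { Get-EventFacts $_ }

$summary = $rows | Group-Object Source | ForEach-Object {
    $unknown = $KnownHosts -notcontains $_.Name
    $fails   = @($_.Group | Where-Object Failed).Count
    [pscustomobject]@{
        Source   = $_.Name
        Events   = $_.Count
        Failures = $fails
        Ids      = (($_.Group.Id | Sort-Object -Unique) -join ',')
        Unknown  = $unknown
        Flag     = $unknown -or ($_.Count -ge $Threshold) -or ($fails -ge [math]::Max(20, $Threshold / 10))
    }
} | Sort-Object Failures, Events -Descending

$summary | Format-Table -AutoSize
$summary | Where-Object Flag |
    Export-Csv -NoTypeInformation -Path ".\netlogon-review-$(Get-Date -Format yyyyMMddHHmm).csv"
```

Run it once on a quiet day to build the known-hosts list from the Source column, then schedule it; a source that appears for the first time with hundreds of 5805 or failed 4776 entries is exactly the scanning pattern the bullet above describes.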
The broader pattern here is one that Australian security researchers have noted in post-incident reviews: the businesses most affected by opportunistic attackers are not those with sophisticated adversaries — they are those that fell behind on routine patch management and lacked the network controls to slow lateral movement once an initial foothold was established. CVE-2026-41096 and CVE-2026-41089 are textbook examples of the vulnerability classes that enable both. Patching them is not glamorous work. It is, however, the most effective single action available this week.
If you are evaluating VPN options to protect remote staff's DNS traffic while your patch rollout completes, our separate guide to NordVPN features and pricing covers the specifics relevant to Australian users, including its AU server presence and jurisdiction considerations under Australian data retention laws.
Related reading
- Two Windows Defender Zero-Days Still Unpatched as Attackers Exploit All Three
- Best VPNs for Australia in 2026: Privacy, Speed & Value Compared
Keep Your Windows Systems Protected
Check out our recommended security tools for a complete protection stack.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.